PT-2025-54828 · Apache · Apache Tomcat

Published: 2025-01-01 · Updated: 2026-03-23 · CVE-2025-66614

CVSS v3.1: 9.1 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 11.0.0-M1 through 11.0.14
Apache Tomcat versions 10.1.0-M1 through 10.1.49
Apache Tomcat versions 9.0.0-M1 through 9.0.112
Apache Tomcat versions 8.5.0 through 8.5.100
Description

Tomcat did not properly validate the host name provided through the Server Name Indication (SNI) extension against the host name in the HTTP Host header field. The issue arises when Tomcat is configured with multiple virtual hosts whose TLS configurations differ, specifically when one host requires client certificate authentication while another does not. A client could potentially bypass client certificate authentication by sending mismatched host names in the SNI extension and the HTTP Host header. The issue is only relevant when client certificate authentication is enforced solely at the Connector level; it does not apply if enforcement is done within the web application.
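As an added illustration (not part of the advisory and not Tomcat's own code), the following Python models the consistency check the description says was missing: the client-certificate policy is taken from the SNI name that governed the TLS handshake, the HTTP Host header is normalized (port stripped, IPv6 literal unwrapped, case folded) and compared, and a request whose two names resolve to virtual hosts with different client-certificate requirements is rejected instead of being routed by the Host header alone. The host names, the policy table and the default host are constructed assumptions.

```python
"""Model of an SNI / Host-header consistency check for a multi-host TLS
connector. Added example, not Tomcat's implementation; all host names and
policies below are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class TlsHostPolicy:
    """Per-virtual-host TLS policy, in the spirit of one SSLHostConfig per
    host (constructed model, not Tomcat's class)."""
    host_name: str
    client_cert_required: bool


# Constructed virtual-host table: one host enforces client certificates at the
# connector level, the other does not. This is exactly the configuration the
# advisory describes as affected.
POLICIES: Dict[str, TlsHostPolicy] = {
    "secure.example.test": TlsHostPolicy("secure.example.test", True),
    "public.example.test": TlsHostPolicy("public.example.test", False),
}
# Host used for the handshake when the client sends no SNI (assumption).
DEFAULT_HOST = "public.example.test"


def normalize_host_header(value: str) -> str:
    """Reduce an HTTP Host header to a comparable host name: unwrap an IPv6
    literal, drop an optional port, lower-case the result."""
    value = value.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            raise ValueError("malformed IPv6 host literal")
        return value[1:end].lower()
    host, _, _port = value.partition(":")
    return host.lower()


def normalize_sni(value: Optional[str]) -> str:
    """Map the SNI name to the host whose TLS policy applied to the handshake;
    no SNI means the default host."""
    return (value or DEFAULT_HOST).rstrip(".").lower()


def evaluate_request(sni: Optional[str], host_header: str, cert_presented: bool) -> str:
    """Decide whether the connector may hand the request to the virtual host
    named in the Host header.

    Returns one of: 'allow', 'reject-mismatch', 'reject-no-cert',
    'reject-unknown-host'.
    """
    tls_host = normalize_sni(sni)
    http_host = normalize_host_header(host_header)
    tls_policy = POLICIES.get(tls_host)
    http_policy = POLICIES.get(http_host)
    if tls_policy is None or http_policy is None:
        return "reject-unknown-host"
    # Core check: the handshake ran under tls_policy, but routing would use
    # http_host. If the two hosts differ in their client-certificate
    # requirement, the Host header must not be trusted to select the host.
    if tls_host != http_host and tls_policy.client_cert_required != http_policy.client_cert_required:
        return "reject-mismatch"
    # Names agree (or their policies do): apply the target host's requirement.
    if http_policy.client_cert_required and not cert_presented:
        return "reject-no-cert"
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests; the mismatched one is the case the
    # advisory describes and must be refused.
    samples = [
        ("secure.example.test", "secure.example.test:8443", True),
        ("public.example.test", "public.example.test", False),
        ("public.example.test", "secure.example.test", False),
        (None, "secure.example.test", False),
    ]
    for sni, host, cert in samples:
        print(f"sni={sni!r:25} host={host!r:28} cert={cert!s:5} -> {evaluate_request(sni, host, cert)}")
```

The decision is keyed on the host that actually governed the handshake, which is the property a connector-level control needs; a web-application-level control (the case the advisory says is unaffected) would instead inspect the presented certificate on each request regardless of which virtual host terminated TLS.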
Recommendations

Apache Tomcat versions 11.0.0-M1 through 11.0.14: Upgrade to version 11.0.15 or later.
Apache Tomcat versions 10.1.0-M1 through 10.1.49: Upgrade to version 10.1.50 or later.
Apache Tomcat versions 9.0.0-M1 through 9.0.112: Upgrade to version 9.0.113 or later.
Apache Tomcat versions 8.5.0 through 8.5.100: Upgrade to a more recent version.

Fix

Improper Certificate Validation

RCE

Weakness Enumeration

Related Identifiers

BIT-TOMCAT-2025-66614
CVE-2025-66614
GHSA-FPJ8-GQ4V-P354
MGASA-2026-0056
OPENSUSE-SU-2026:10305-1
OPENSUSE-SU-2026:10306-1
OPENSUSE-SU-2026:10307-1
OPENSUSE-SU-2026:20350-1
SUSE-SU-2026:0877-1
SUSE-SU-2026:0890-1
SUSE-SU-2026:0932-1

Affected Products

Apache Tomcat